Add new policy_provider option to Salt; supporting Calico installation

cluster/saltbase/salt/calico/10-calico.conf

@@ -0,0 +1,16 @@
+{
+    "name": "calico-k8s-network",
+    "type": "calico",
+    "etcd_authority": "{{ grains.api_servers }}:6666",
+    "log_level": "info",
+    "ipam": {
+        "type": "host-local",
+        "subnet": "CBR0_CIDR"
+    },
+    "policy": {
+        "type": "k8s",
+        "k8s_api_root": "https://{{ grains.api_servers }}:443/api/v1",
+        "k8s_client_certificate": "/path/to/client/cert",
+        "k8s_client_key": "/path/to/client/key"
+    }
+}

cluster/saltbase/salt/calico/calico-policy-agent.manifest

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: calico-policy-agent
+  namespace: calico-system
+  labels:
+    version: latest
+    projectcalico.org/app: "policy-agent"
+spec:
+  hostNetwork: true
+  containers:
+    - name: policycontroller
+      image: caseydavenport/calico-policy-controller:latest
+      env:
+      - name: ETCD_AUTHORITY
+        value: "127.0.0.1:6666"
+      - name: K8S_API
+        value: "http://127.0.0.1:8080"
+      - name: LOG_LEVEL
+        value: "info"

cluster/saltbase/salt/calico/master.sls

@@ -0,0 +1,43 @@
+{% if pillar.get('policy_provider', '').lower() == 'calico' %}
+
+calicoctl:
+  file.managed:
+    - name: /usr/bin/calicoctl
+    - source: https://github.com/projectcalico/calico-docker/releases/download/v0.19.0/calicoctl
+    - source_hash: sha256=6db00c94619e82d878d348c4e1791f8d2f0db59075f6c8e430fefae297c54d96
+    - makedirs: True
+    - mode: 744
+
+calico-etcd:
+  cmd.run:
+    - unless: docker ps | grep calico-etcd
+    - name: >
+               docker run --name calico-etcd -d --restart=always -p 6666:6666
+               -v /varetcd:/var/etcd
+               gcr.io/google_containers/etcd:2.2.1
+               /usr/local/bin/etcd --name calico
+               --data-dir /var/etcd/calico-data
+               --advertise-client-urls http://{{ grains.id }}:6666
+               --listen-client-urls http://0.0.0.0:6666
+               --listen-peer-urls http://0.0.0.0:6667
+               --initial-advertise-peer-urls http://{{ grains.id }}:6667
+               --initial-cluster calico=http://{{ grains.id }}:6667
+
+calico-policy-agent:
+  file.managed:
+    - name: /etc/kubernetes/manifests/calico-policy-agent.manifest
+    - source: salt://calico/calico-policy-agent.manifest
+    - template: jinja
+    - user: root
+    - group: root
+    - mode: 644
+    - makedirs: true
+    - dir_mode: 755
+    - context:
+        cpurequest: '20m'
+    - require:
+      - service: docker
+      - service: kubelet
+      - cmd: calico-etcd
+
+{% endif -%}

cluster/saltbase/salt/calico/node.sls

@@ -0,0 +1,62 @@
+{% if pillar.get('policy_provider', '').lower() == 'calico' %}
+
+calicoctl:
+  file.managed:
+    - name: /usr/bin/calicoctl
+    - source: https://github.com/projectcalico/calico-docker/releases/download/v0.19.0/calicoctl
+    - source_hash: sha256=6db00c94619e82d878d348c4e1791f8d2f0db59075f6c8e430fefae297c54d96
+    - makedirs: True
+    - mode: 744
+
+calico-node:
+  cmd.run:
+    - name: calicoctl node
+    - unless: docker ps | grep calico-node
+    - env:
+      - ETCD_AUTHORITY: "{{ grains.api_servers }}:6666"
+      - CALICO_NETWORKING: "false"
+    - require:
+      - kmod: ip6_tables
+      - kmod: xt_set
+      - service: docker
+      - file: calicoctl
+
+calico-cni:
+  file.managed:
+    - name: /opt/cni/bin/calico
+    - source: https://github.com/projectcalico/calico-cni/releases/download/v1.3.0/calico
+    - source_hash: sha256=2f65616cfca7d7b8967a62f179508d30278bcc72cef9d122ce4a5f6689fc6577
+    - makedirs: True
+    - mode: 744
+
+calico-cni-config:
+  file.managed:
+    - name: /etc/cni/net.d/10-calico.conf
+    - source: salt://calico/10-calico.conf
+    - makedirs: True
+    - mode: 644
+    - template: jinja
+
+calico-update-cbr0:
+  cmd.run:
+    - name: sed -i "s#CBR0_CIDR#$(ip addr list cbr0 | grep -o 'inet [^ ]*' | awk '{print $2}')#" /etc/cni/net.d/10-calico.conf
+    - require:
+      - file: calico-cni
+      - file: calico-cni-config
+      - cmd: calico-node
+      - service: kubelet
+      - service: docker
+
+calico-restart-kubelet:
+  cmd.run:
+    - name: service kubelet restart
+    - require:
+      - cmd: calico-update-cbr0
+
+ip6_tables:
+  kmod.present
+
+xt_set:
+  kmod.present
+
+{% endif -%}

cluster/saltbase/salt/kubelet/default

@@ -151,6 +151,8 @@
   {% set network_plugin = "--network-plugin=opencontrail" %}
 {% elif pillar.get('network_provider', '').lower() == 'cni' %}
   {% set network_plugin = "--network-plugin=cni --network-plugin-dir=/etc/cni/net.d/" %}
+{%elif pillar.get('policy_provider', '').lower() == 'calico' and grains['roles'][0] != 'kubernetes-master' -%}
+  {% set network_plugin = "--network-plugin=cni --network-plugin-dir=/etc/cni/net.d/" %}
 {% elif pillar.get('network_provider', '').lower() == 'kubenet' %}
   {% set network_plugin = "--network-plugin=kubenet" -%}
   {% if reconcile_cidr_args == '' -%}

cluster/saltbase/salt/top.sls

@@ -15,6 +15,9 @@ base:
     - docker
 {% if pillar.get('network_provider', '').lower() == 'flannel' %}
     - flannel
+{% endif %}
+{% if pillar.get('policy_provider', '').lower() == 'calico' %}
+    - cni
 {% elif pillar.get('network_provider', '').lower() == 'kubenet' %}
     - cni
 {% elif pillar.get('network_provider', '').lower() == 'cni' %}
@@ -44,6 +47,9 @@ base:
 {% endif %}
     - logrotate
     - supervisor
+{% if pillar.get('policy_provider', '').lower() == 'calico' %}
+    - calico.node
+{% endif %}
 
   'roles:kubernetes-master':
     - match: grain
@@ -88,3 +94,6 @@ base:
 {% if pillar.get('enable_node_autoscaler', '').lower() == 'true' %}
     - cluster-autoscaler
 {% endif %}
+{% if pillar.get('policy_provider', '').lower() == 'calico' %}
+    - calico.master
+{% endif %}